<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Firepower 4110 reachability in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/firepower-4110-reachability/m-p/3817907#M132530</link>
    <description>&lt;P&gt;Hi. I have a Firepower 4110 device whose password my colleague has reset. Now we can ping its management IP address but cannot connect to that IP address via HTTP(s)/Telnet/SSH. I didn't even manage to connect to that IP address when I attached my computer directly to the management port via an Ethernet cable, but as I said, the ping works fine. I connected my PC to the console port of the device and got these outputs:&lt;/P&gt;
&lt;PRE&gt;FTD4110# scope system 
FTD4110 /system # show firmware monitor 
FPRM:
    Package-Vers: 2.4(1.214)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.4(1.214)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.4(1.214)
        Upgrade-Status: Ready&lt;/PRE&gt;
&lt;P&gt;and:&lt;/P&gt;
&lt;PRE&gt;FTD4110# show system 

Systems:
    Name       Mode        System IP Address System IPv6 Address
    ---------- ----------- ----------------- -------------------
    FTD4110    Stand Alone 10.106.6.194      ::&lt;/PRE&gt;
&lt;P&gt;There is no "&lt;STRONG&gt;Connect ftd&lt;/STRONG&gt;" command (I mean the "&lt;STRONG&gt;ftd&lt;/STRONG&gt;" keyword) on the FXOS CLI. How could I re-initiate the initial configuration setup or know if FTD has been installed on the device?&lt;/P&gt;
&lt;PRE&gt;FTD4110# connect ?
  adapter     Mezzanine Adapter
  cimc        Cisco Integrated Management Controller
  fxos        Connect to FXOS CLI
  local-mgmt  Connect to Local Management CLI
  module      Security Module Console
&lt;/PRE&gt;
&lt;P&gt;I used the "connect fxos A" command and ran "show run" and this is the output. It seems the device has some configs but I don't know if this is the reason that I cannot connect to the management port of the 4110 chassis.&lt;/P&gt;
&lt;PRE&gt;FTD4110(fxos)# show running-config
!
version 5.0(3)N2(4.41)
switchname FTD4110
!
feature npiv
feature telnet
feature tacacs+
no cfs distribute
feature private-vlan
feature port-security
feature udld
feature lacp
feature vmfex
feature lldp
feature fex
feature network-segmentation-manager
!
ip domain-lookup
aaa group server tacacs+ tacacs
!
mac access-list ssp_acl_ccl_tcp_dst
mac access-list ssp_acl_ccl_tcp_src
mac access-list ssp_acl_ccl_udp_dst
mac access-list ssp_acl_hb
  10 permit any any vlan 4047
mac access-list ssp_acl_mgmt
!
fex management-instance 9e9c4214-40d4-11e9-8efa-ed40b3863645 fabric 1
ntp master 8
!
vrf context management
vlan 1,101-148,1001-1048,2001
vlan 4044
  name SAM-vlan-management
vlan 4047
  name SAM-vlan-boot
no spanning-tree vlan 1-3967,4044-4093
vethernet auto-create
port-profile default max-ports 512
port-profile default port-binding static
port-profile type vethernet NSM_template_vlan
  guid 25c7cc21-4efb-49c3-8474-c84aeddd381a
  no shutdown
  description ort-profile for VLAN networks. Do not delete.
  state enabled
port-profile type vethernet NSM_template_segmentation
  guid 088f6ef5-9091-4712-a815-b6cf0bebe641
  no shutdown
  description ort-profile for VXLAN networks. Do not delete.
  state enabled
port-profile type vethernet ucsm_internal_rackserver_portprofile
  guid c86b9396-d1e4-41d9-95f5-a1e9c2f15c16
  switchport trunk allowed vlan 4044
  switchport mode trunk
  no shutdown
  max-ports 320
  state enabled
  dvs-name all
!
interface port-channel48
  description U: Uplink
  switchport mode dot1q-tunnel
  lacp suspend-individual
  lacp max-bundle 16
  switchport trunk native vlan 1048
  speed 10000
  duplex full
!
interface Ethernet1/1
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 101
  duplex full
  udld disable
!
interface Ethernet1/2
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 102
  duplex full
  udld disable
!
interface Ethernet1/3
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 103
  duplex full
  udld disable
!
interface Ethernet1/4
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 104
  duplex full
  udld disable
!
interface Ethernet1/5
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 105
  duplex full
  udld disable
!
interface Ethernet1/6
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 106
  duplex full
  udld disable
!
interface Ethernet1/7
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 107
  duplex full
  udld disable
!
interface Ethernet1/8
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 108
  duplex full
  udld disable
!
interface Ethernet1/9
  switchport vntag max-vifs 118
  switchport mode vntag
  no shutdown
!
interface Ethernet2/1
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 117
  duplex full
  udld disable
!
interface Ethernet2/2
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 118
  duplex full
  udld disable
!
interface Ethernet2/3
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 119
  duplex full
  udld disable
!
interface Ethernet2/4
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 120
  duplex full
  udld disable
!
interface Ethernet2/5
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 121
  duplex full
  udld disable
!
interface Ethernet2/6
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 122
  duplex full
  udld disable
!
interface Ethernet3/1
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 133
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/2
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 134
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/3
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 135
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/4
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 136
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/5
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 137
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/6
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 138
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/7
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 139
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/8
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 140
  speed auto
  duplex full
  udld disable
!
interface mgmt0
  shutdown force
  ip address 10.106.6.194/24
line console
line vty
no ip igmp snooping
ldap-server port 0
ldap-server TLS version
aaa group server ldap ldap
network segment manager switch
  dvs name FTD4110
network segment policy default_vlan_template
  description Default template used for VLAN backed pools
  type vlan
  import port-profile NSM_template_vlan
network segment policy default_segmentation_template
  description Default template used for isolation backed pools
  type segmentation
  import port-profile NSM_template_segmentation

FTD4110(fxos)#&lt;/PRE&gt;
&lt;P&gt;Regards;&lt;/P&gt;</description>
    <pubDate>Tue, 12 Mar 2019 09:24:19 GMT</pubDate>
    <dc:creator>ciscoworlds</dc:creator>
    <dc:date>2019-03-12T09:24:19Z</dc:date>
    <item>
      <title>Firepower 4110 reachability</title>
      <link>https://community.cisco.com/t5/network-security/firepower-4110-reachability/m-p/3817907#M132530</link>
      <description></description>
      <pubDate>Tue, 12 Mar 2019 09:24:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firepower-4110-reachability/m-p/3817907#M132530</guid>
      <dc:creator>ciscoworlds</dc:creator>
      <dc:date>2019-03-12T09:24:19Z</dc:date>
    </item>
    <item>
      <title>Re: Firepower 4110 reachability</title>
      <link>https://community.cisco.com/t5/network-security/firepower-4110-reachability/m-p/3817997#M132531</link>
      <description>&lt;P&gt;Are you trying to reach the Chassis management or the FTD management IP address?&lt;/P&gt;
&lt;P&gt;For Chassis management, do the following to check if there is an ip-block. I have seen this set to block all ssh/https/snmp on initial setup.&lt;/P&gt;
&lt;PRE&gt;Firepower-chassis # scope system
Firepower-chassis /system # scope services
Firepower-chassis /system/services # sh ip-block&lt;/PRE&gt;
&lt;P&gt;Try adding an entry for your source IP address:&lt;/P&gt;
&lt;PRE&gt;scope system
scope services
create ip-block &amp;lt;aaa.bbb.ccc.ddd&amp;gt; &amp;lt;cidr&amp;gt; https
create ip-block &amp;lt;aaa.bbb.ccc.ddd&amp;gt; &amp;lt;cidr&amp;gt; ssh
commit-buffer&lt;/PRE&gt;</description>
      <pubDate>Tue, 12 Mar 2019 11:25:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firepower-4110-reachability/m-p/3817997#M132531</guid>
      <dc:creator>Rahul Govindan</dc:creator>
      <dc:date>2019-03-12T11:25:54Z</dc:date>
    </item>
    <item>
      <title>Re: Firepower 4110 reachability</title>
      <link>https://community.cisco.com/t5/network-security/firepower-4110-reachability/m-p/3818015#M132532</link>
      <description>&lt;P&gt;Assume. It worked and I connected to the Firepower Chassis Manager. It seems the device has no FTD or ASA. Is it possible to install FTD on the chassis via the Firepower Chassis Manager web page?&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 12:02:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firepower-4110-reachability/m-p/3818015#M132532</guid>
      <dc:creator>ciscoworlds</dc:creator>
      <dc:date>2019-03-12T12:02:23Z</dc:date>
    </item>
  </channel>
</rss>

